• Version of the plugin : 6.0 – Hide Backend option, activated

    I already submitted a topic here but since then I have run even more tests.
    I installed a duplicate of my site on my personal server. WordPress, extensions, theme, content, it’s all the same.

    BUT on the public server wp-login is still visible, while on my own server it is hidden like it should be. HOOOOOOOW??? Can someone help me with that???

Viewing 10 replies - 1 through 10 (of 10 total)
  • @julianoe
    Start by asking the right question:

    WHY is wp-login not hidden on some sites SERVERS???

    Thread Starter julianoe_

    (@julianoe_)

    Sure, but in my experience I haven’t cornered any server characteristics that could prevent hiding wp-login. Also, why would it work for wp-admin and not wp-login?

    Do you have an idea?

    @julianoe_

    Also, why would it work for wp-admin and not wp-login?

    Because the file wp-admin.php does not exist …

    Another clue: wp-login is not a default slug for accessing the WordPress Dashboard.

    There are normally only 5 slugs to access the WordPress Dashboard:

    • wp-admin
    • login
    • admin
    • dashboard
    • wp-login.php

    As you can see ‘wp-login’ is not one of them.

    So this is an issue that is not related to WordPress nor the iTSec plugin.

    Thread Starter julianoe_

    (@julianoe_)

    My bad. Obviously I was talking about wp-login.php

    iThemes Security claims to be able to redirect traffic from /wp-admin and /wp-login.php to a /not_found page, and only allow connections through /customslug

    As you could certainly understand, the problem is that /wp-admin is properly hidden, while /wp-login.php still allows users (and bots of course) to try to connect. On another server, with the exact same website, /wp-login.php is well hidden.

    I’m eager to understand why…

    @julianoe_

    OK, so https://www.example.com/wp-login.php is still giving you access to the login page (despite having enabled the iTSec plugin Hide Backend feature)?

    I looked at your previous topics, where I strongly get the impression this is about accessing /wp-login …

    Thread Starter julianoe_

    (@julianoe_)

    Exactly. Talking about /wp-login.php

    As you said, /wp-login does not exist anyway, so… yeah, I was talking about wp-login.php. Even with the Hide Backend feature enabled (and working for /wp-admin)

    @julianoe_

    In that case you’ve lost me … just doesn’t make any sense.

    Check your .htaccess and see whether or not the plugin has written the rewrite rule.
    It is a common quirk??

    @lucabarelli

    Thanks for the suggestion, but the rewriterule(s) in the .htaccess file only make the new (secret) slug(s) work.

    There is nothing added to the .htaccess file that will prevent access to the wp-login.php file.

    It’s iTSec plugin (Hide Backend) PHP code that blocks/redirects requests to the wp-login.php file after enabling the iTSec plugin Hide Backend module.

    This issue must be specific to @julianoe_’s env.

    @julianoe_

    What happens when you access https://www.example.com/wp-login?
    (It should normally return a 404).

    Hi Everyone.

    Me too. Only ‘wp-login’ cannot be hidden with ‘iThemesSecurity hide back end’.
    This is a vulnerability to brute force attacks.

    My WordPress was attacked.
    Furthermore, unluckily, they broke through ‘wp-login’.
    My WordPress was invaded. Really frustrating.

    If it is not ‘.htaccess’, it may be ‘httpd.conf’ of ‘apache2.2’ or ‘php.ini’ etc…

    If it is shared web hosting, maybe we cannot solve this problem.

    It is only my own case, so inspection examples are lacking.
    But on an Nginx PHP7 VPS, there is no problem.

    On shared web hosting with apache2.2, the problem has occurred, and still does now.
    The Linux distribution is unclear, because it is shared hosting.

    I am very sorry for my poor English.
    I am Japanese.

    Thanks and regards

  • The topic ‘WHY is wp-login not hidden on some sites???’ is closed to new replies.